Search code examples
permissionsazure-devopsazure-devops-rest-api

Can I grant permissions to a pipeline so it can read information for a different project in Azure Devops using the API?

I'm trying to use this Azure DevOps API call:

GET https://dev.azure.com/{organization}/_apis/projects/{projectId}?api-version=5.1

Documented here, to retrieve the name of a project when I have it's ID. Note that the pipeline is attempting to retrieve project information for a project other than the one in which it's defined. Here's the code, which works when the pipeline provides its own project ID:

  $VstsBaseRestUrl = "$(System.TeamFoundationCollectionUri)"

  $projectsUrl = "$VstsBaseRestUrl/_apis/projects/${{ parameters.project }}?api-version=5.1"

  $rawResponse = Invoke-WebRequest -UseDefaultCredentials -Uri $projectsUrl -Method Get -ContentType "application/json" -Headers @{
        Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
    }

The response is returned as:

{"$id":"1","innerException":null,"message":"VS800075: The project with id 'vstfs:///Classification/TeamProject/xxxxx' does not exist, or you do not have permission to access it.","typeName":"Microsoft.TeamFoundation.Core.WebApi.ProjectDoesNotExistException, Microsoft.TeamFoundation.Core.WebApi","typeKey":"ProjectDoesNotExistException","errorCode":0,"eventId":3000}

I'm using the correct project ID, so how do I grant permission to the pipeline to authorise this call?

Note: I'd rather not use a PAT if I don't have to, i.e. somehow granting this to the build account so that the SYSTEM_ACCESSTOKEN approach continues to work.

Solution
    • how do I grant permission to the pipeline to authorise this call?

    Let's say you call above rest api to retrieve Project B's information from the pipeline in project A.

    You need to grant the build service account of project A the View project-level information in project B. Below is the detailed steps.

    1, Go the project settings of project B(the project you want to retrieve the information) --> Permissions --> select Build Administrator group(You can also create a new group)

    enter image description here

    2, Click Members tab of Build Administrator group --> Click Add --> Add the build service account of project A.

    The build service account of project A is like this: NameofProjectA Build Service (NameofOrganization) eg. ProjectA Build Sevice (MyOrganization)

    enter image description here

    Optional:

    You can also create a new group in project B and add The build service account of project A to its memebers. And make sure View project-level information is allowed

    enter image description here